Security: Never mind the products, educate the users

Security experts at the Cebit trade show see informing users as the top priority when it comes to improving IT security

If they could change one thing to improve IT security, the assembled experts on a panel at Cebit would better educate their users.

"Education is important: We're all too naïve," said Eddy Willems, global security officer for G Data Software, speaking in a panel session on security during the Cebit Global Conference, part of the Cebit trade show in Hanover, Germany, on Wednesday.

"People need to take security seriously. We can do a lot at a technological level, but if they choose a weak password, they are at risk," said Joachim Schaper, vice president of research at AGT Germany, which provides physical, as well as IT, security services.

Richard Marko, CEO of ESET, an antivirus software vendor based in Bratislava, Slovakia, would rather users kept their data where his desktop security products can see it: "I wish users would think twice before they decide what it is appropriate to put into the cloud," he said.

However, improved user education can only accomplish so much: IT systems developers also need to make systems simpler to use safely.

"If you want millions of people to use a service, it needs to be easy, without the need for them to install more software," said Georg Rau, senior vice president at Deutsche Post, another panellist.

But the obligation isn't only on customers to learn: it's also on suppliers to inform. Buyers can't make educated decisions about how to set up and run their IT infrastructures unless vendors supply them with the necessary information.

Nowhere is that more the case than in the market for cloud computing services, where vendors vaunt the fact that their customers don't need to know how things work.

"We need transparency from cloud computing providers. We should know how their systems are organized, and we should know about the people they hire," said Natalya Kaspersky, chairperson at Kaspersky Lab.

She wants to see more transparency in such services, and better standards for security practices, so that customers can evaluate service providers.

"If the level of security and transparency is very high, I may be willing to pay more. If I don't care about security, I can pay less. But I should have that choice," she said.

Schaper drew a comparison with the automobile industry, where manufacturers spend millions conducting crash tests to demonstrate the safety of their vehicles. Because the tests are standardized across the industry, the results can be compared: That's important, he said, because safety might be a decision factor when purchasing a car.

While the vendors of IT systems in general, and of security products and services in particular, do conduct tests of their products, these are not always directly comparable, Schaper warned. "If you go to other providers, they might have a different standard," he said. "It still needs a lot of work from vendors to make these tests transparent and standard."

The chairman of the panel session, Martin Gutberlet of analyst firm Gartner, came to the same conclusion.

"There's still a lot of work to do on standards and certification" of security practices, he said.

But, he wondered, "Are we willing to pay for it?"

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at
